Judge: Microsoft must hand over Dublin data for crime investigation

Microsoft must turn over a user’s emails to U.S investigators investigating a narcotics case, according to a New York-based U.S. District Judge, Loretta A. Preska.

While that may not seem to be an unusual story, what makes it unique is that the information the investigators seek is stored in a Microsoft cloud data center in Dublin, Ireland.

Aye, there’s the rub. The ruling means that data stored overseas by U.S.-based corporations is still subject to U.S. extradition laws, even in the presence of laws in other countries that prohibit such things.

This is a bellwether case, one that has inflamed corporate passions to the point that several Microsoft competitors have coalesced around the Redmond, Wash.-based tech company. Joining Microsoft in this battle are heavy hitters such as Apple, Cisco Systems, Verizon and AT&T.

The judge’s ruling claimed that the overriding principle was who controlled the data, not where it was stored. Since Microsoft owned the data, it could retrieve it without running afoul of Irish law.

This is a complex situation, to be sure. There are many arguments pro and con, and validity to both viewpoints. The larger issue is that privacy law issues — which are still very much in flux — must be settled within the U.S. legal system, and they can then be applied to cases such as these.

In an editorial , Brad Smith, Microsoft General Counsel and executive vice president for legal and corporate affairs promotes the idea that the U.S. government can obtain emails only subject to the full legal protections of the Constitution’s Fourth Amendment (unreasonable search and seizure), meaning that the government must issue a search warrant; and search warrants are not enforceable beyond our shores.

Smith also noted that privacy protections under the law are stronger for personal communications, under which emails, texts and instant messaging should be covered. He also raises the spectre of turnabout, should other countries follow suit. He claims that Britain has already passed a law requiring tech companies to produce emails stored anywhere in the world. He makes the case that this could apply to American citizens’ emails stored in the U.S by a UK-based corporation.

Take home messages

1. Cloud computing is not private, nor do you have control. It’s basically “landlord tenant” law, where you are a mere tenant.

2. European law must apply within Europe. This is an issue of jurisdiction. It seems impossible to contemplate that a US judge could decide her courtroom has precedence over European Data Protection laws, but yet, this is this case before us.

3. It would be a wise move for the EU to mandate the use of encryption keys. Then mandate cloud storage to be encrypted.. and the keys held by EU only companies, so that “control” is not in the hands of US companies… the data is encrypted by order of the EU, and can only be released with an EU court order.